Kevin Beaumont

RE: https://hachyderm.io/@ChrisShort/116606591908387955

If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.

The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.

Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.

VSCode is an absolute security shittip as a result.

11:30amWeb
Show threadKevin Beaumont4h ago

Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.

I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.

Show threadRairii   4h ago
@GossiTheDog make it the trifecta by dropping malware that abuses the vscode uninstaller
Show threadfellmoon 馃彺4h ago
@GossiTheDog winget install anthropic.ClaudeCode... it'll be fine, it's just userspace... Like a gazillion other things...
Show threadSteve Loughran4h ago

@GossiTheDog it is permanently trying to make you add extensions, and the whole "trust this directory" prompt mapping to "run any code in this external repo" feature seems designed to fund the north korean government.

It's reasonably lightweight, but I don't trust it any more as even if I only use it for text editing, it's too willing to run code from external sources

Show threadSteve Loughran56m ago
@GossiTheDog in their favour: MSFT are showing how they've successfully implemented a cross-platform vulnerability ecosystem. ActiveX was windows only
Show threadAndrew Golding4h ago

@GossiTheDog I remember your earlier writings on this subject and I have been extremely paranoid about the VSCode extensions I've put on my work-owned machine.

I've also switched away from VSCode-based editors on my personal machines, partially because of this and also because of all the other happy horseshit MS has been pulling.

Show threadD Ingram4h ago
@GossiTheDog And this is why my work PC is locked down so tight I can't even make and run my own batch files, let alone anything .exe. The organisation actually practices the Essential Eight.
Show threadKevin Beaumont3h ago
@ingram you can probably install VSCode 馃槄
Show threadVessOnSecurity4h ago
@GossiTheDog Also check if they are running Cursor (the AI thing). It's VSCode in disguise, uses the same plugins, can import all the settings, etc.
Show threadSass, David3h ago

@GossiTheDog this is exactly why we delivered this session last year at #PSConfEU

https://youtu.be/deBTJdjMc5o

VSCode Extension Deployment with Intune - Bj枚rn Sundling, David Sass - PSConfEU 2025

YouTube
Show threadJade3h ago

@GossiTheDog

"but it's for developers it's allowed to be insecure they surely know what they're doing and think perfectly rationally at all times!"

Show threadJ3h ago

@GossiTheDog I installed VSCodium yesterday for a project and @Sempf was nice enough to suggest looking at the extensions with the warning that the extensions were a bit of a wild west.

It was shockingly terrible! You can't find or use ANYTHING safely in that tool.

I haven't installed anything in yet because frankly, I don't trust it yet. I'd rather walk slowly and safe.

Show threadRichBartlett 3h ago
@GossiTheDog lol MS didn't even follow their own guidelines
Show thread*sigh*Ber nard2h ago

@GossiTheDog "how can you be so mean! We added a dialog bump 'do you trust this developer XiJinPing'"

Same thing all over again, applications, consent dialogs, browser extensions, IDE plugins, ...
Trusting that your users have sane judgement, prepare to mop!

Show threadChris Adams4h ago
@GossiTheDog especially bad in light of rejecting the requests for cooldowns in the past https://github.com/microsoft/vscode/issues/79689
[Feature Request] Fine grained control on extension auto updates 路 Issue #79689 路 microsoft/vscode

BACKROUND When an extension is updated, I am notified in the sidebar. I always check the changelog before clicking "update". Too often I will waste time by updating to a newer version, which is bug...

GitHub
Show threadConan4h ago

@GossiTheDog

They recently added a feature to control what publishers are allowed

https://code.visualstudio.com/docs/enterprise/policies

Centrally manage VS Code settings with policies

Enterprise policies in Visual Studio Code enable organizations to centrally manage settings for their development teams. This reference details the available policies and how to implement them.

Show threadEpic Null2h ago
@ConanChiles @GossiTheDog And here I am just thinking "An open repository system where you add allowed sources would have allowed for better control from the start"
Show threadJonathan Arnold 馃嚭馃嚘4h ago
@GossiTheDog wonder if that鈥檚 why at my company they鈥檝e had a crack down on VS code extensions. Now they have an allow list of extensions that can be installed and nothing else.
Show threadEmily_S4h ago

@GossiTheDog hell even opening a repo in vscode can cause code execution in multiple ways. It is basically impossible to use securely.

https://github.com/emilyselwood/self_deleting_repo

GitHub - emilyselwood/self_deleting_repo: A repo that deletes it self when it opens in an editor.

A repo that deletes it self when it opens in an editor. - emilyselwood/self_deleting_repo

GitHub
Show threadVlad 馃嚭馃嚘4h ago
@GossiTheDog @tymwol Something macros something something word documents 馃幓
Show threadLaura3h ago
@GossiTheDog One day, I might figure out why I'd ever want to install VSCode, but this is not that day. May it rot in hell for completely destroying search results between it and the real VS, both ways.
Show threadStephen Gentle3h ago
@GossiTheDog And the editor itself makes extensions necessary. Like want to highlight trailing white space (something that should be built into a code editor)? Nope, you need to install a random 3rd party extension!
Show threadMacCruiskeen3h ago
@GossiTheDog I realize that this is tangential, but the network is named CORPNET? Really? Are we in a cheap 1980s techno-thriller?
Show threadKevin Beaumont3h ago
@maccruiskeen that's the main AD domain, yep. Keep in mind MS is an 80s company 馃槄
Show threadMichael Newton3h ago
@[email protected] @[email protected] also, this is the company that chose to call a flagship product family .NET
Kevin Beaumont (@[email protected])

4.39K Posts, 776 Following, 72.4K Followers 路 Cybersecurity weather person and award winning shitposter. Shitposting is an anagram of Top Insights. You may be surprised to know I am not representing my employer here and these are not their opinions. I have Direct Messages disabled - you can send them, but I will never receive them.

Cyberplace
Show threadneffo2h ago
@GossiTheDog @maccruiskeen is it pronounced corEnet or corPnet?
Show threadDavid Chisnall (*Now with 50% more sarcasm!*)3h ago

@GossiTheDog

VS Code started to be a thing people used when I was at MS. A lot of folks were using the remote extensions for working in Azure VMs. I saw that there was an open issue about FreeBSD support, so I reached out to some of the folks responsible internally. The things I learned about how that worked made me back away slowly and be very happy I used vim.

Show threadEmily_S3h ago

@GossiTheDog One of the top 10 extensions, with 73 million downloads, looks like its owned by a single dev on his personal github account.

I wonder how many fishing attempts he gets per day.

Show threadStoneBear 2h ago

@GossiTheDog ....

.......

and here I thought npm was bad. Sweet moldy cheezus on stale wonderbread with a radiator moonshine chaser and a frop stash full of ergot.